Skip to site navigation (Press enter)

[webkit-changes] [190585] trunk

rniwa Mon, 05 Oct 2015 15:49:50 -0700

Title: [190585] trunk

Revision: 190585
Author: [email protected]
Date: 2015-10-05 15:49:34 -0700 (Mon, 05 Oct 2015)

Log Message

ShadowRoot with leading or trailing white space cause a crash
https://bugs.webkit.org/show_bug.cgi?id=149782


Reviewed by Chris Dumez.

Source/WebCore:

Fixed the crash by adding a null pointer check since a TextNode that appears as a direct child
of a ShadowRoot doesn't have a parent element.

Test: fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html

* style/RenderTreePosition.cpp:
(WebCore::RenderTreePosition::previousSiblingRenderer):

LayoutTests:

Added a regression test.

* fast/shadow-dom/shadow-root-with-child-whitespace-text-crash-expected.txt: Added.
* fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/style/RenderTreePosition.cpp

Added Paths

trunk/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash-expected.txt
trunk/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (190584 => 190585)


--- trunk/LayoutTests/ChangeLog	2015-10-05 22:35:54 UTC (rev 190584)
+++ trunk/LayoutTests/ChangeLog	2015-10-05 22:49:34 UTC (rev 190585)
@@ -1,3 +1,15 @@
+2015-10-02  Ryosuke Niwa  <[email protected]>
+
+        ShadowRoot with leading or trailing white space cause a crash
+        https://bugs.webkit.org/show_bug.cgi?id=149782
+
+        Reviewed by Chris Dumez.
+
+        Added a regression test.
+
+        * fast/shadow-dom/shadow-root-with-child-whitespace-text-crash-expected.txt: Added.
+        * fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html: Added.
+
 2015-10-05  Jiewen Tan  <[email protected]>
 
         Cleaning up after revision 190339

Added: trunk/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash-expected.txt (0 => 190585)


--- trunk/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash-expected.txt	2015-10-05 22:49:34 UTC (rev 190585)
@@ -0,0 +1,3 @@
+This tests creating a shadow root with leading and trailing white spaces. WebKit should not crash. You should see PASS below.
+
+PASS

Added: trunk/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html (0 => 190585)


--- trunk/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html	2015-10-05 22:49:34 UTC (rev 190585)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>
+This tests creating a shadow root with leading and trailing white spaces.
+WebKit should not crash. You should see PASS below.
+</p>
+<div id="host">PASS</div>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var host = document.getElementById('host');
+host.attachShadow({mode: 'closed'}).innerHTML = ' <slot></slot> ';
+</script>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (190584 => 190585)


--- trunk/Source/WebCore/ChangeLog	2015-10-05 22:35:54 UTC (rev 190584)
+++ trunk/Source/WebCore/ChangeLog	2015-10-05 22:49:34 UTC (rev 190585)
@@ -1,3 +1,18 @@
+2015-10-02  Ryosuke Niwa  <[email protected]>
+
+        ShadowRoot with leading or trailing white space cause a crash
+        https://bugs.webkit.org/show_bug.cgi?id=149782
+
+        Reviewed by Chris Dumez.
+
+        Fixed the crash by adding a null pointer check since a TextNode that appears as a direct child
+        of a ShadowRoot doesn't have a parent element.
+
+        Test: fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html
+
+        * style/RenderTreePosition.cpp:
+        (WebCore::RenderTreePosition::previousSiblingRenderer):
+
 2015-10-05  Beth Dakin  <[email protected]>
 
         Build fix.

Modified: trunk/Source/WebCore/style/RenderTreePosition.cpp (190584 => 190585)


--- trunk/Source/WebCore/style/RenderTreePosition.cpp	2015-10-05 22:35:54 UTC (rev 190584)
+++ trunk/Source/WebCore/style/RenderTreePosition.cpp	2015-10-05 22:49:34 UTC (rev 190585)
@@ -62,8 +62,10 @@
         if (renderer && !RenderTreePosition::isRendererReparented(*renderer))
             return renderer;
     }
-    if (PseudoElement* before = textNode.parentElement()->beforePseudoElement())
-        return before->renderer();
+    if (auto* parent = textNode.parentElement()) {
+        if (auto* before = parent->beforePseudoElement())
+            return before->renderer();
+    }
     return nullptr;
 }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes